Package: libreoffice / 1:6.1.5-3

apparmor-kde.diff Patch series | download
From c86e4ad53391d17d1eb54845b5999889f7e65061 Mon Sep 17 00:00:00 2001
From: Vincas Dargis <vindrg@gmail.com>
Date: Tue, 7 Aug 2018 20:34:21 +0300
Subject: apparmor: update program.soffice.bin for KDE

Add rules to fix file dialog and other issues with 6.2 alpha1 on Debian
Buster with KDE desktop.

Change-Id: Ib1b20c5809ac9bdea1bf2623eff4345fa42fd4f3
Reviewed-on: https://gerrit.libreoffice.org/58702
Tested-by: Jenkins
Reviewed-by: Jan-Marek Glogowski <glogow@fbihome.de>
Reviewed-by: Katarina Behrens <Katarina.Behrens@cib.de>
---
 sysui/desktop/apparmor/program.soffice.bin | 50 ++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
index a680260..ebb012a 100644
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -98,6 +98,7 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   owner @{libo_user_dirs}/**~lock.*     rw,  #lock file support
   owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk,  #Open files rw with the right exts
   owner @{libo_user_dirs}/{,**/}lu??????????{,?}.tmp rwk, #Temporary file used when saving
+  owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
 
   # Settings
   /etc/libreoffice/                     r,
@@ -107,6 +108,9 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   /proc/*/status                        r,
 
   owner @{HOME}/.config/libreoffice{,dev}/** rwk,
+  owner @{HOME}/.config/soffice.binrc rwl -> @{HOME}/.config/#[0-9]*,
+  owner @{HOME}/.config/soffice.binrc.* rwl -> @{HOME}/.config/#[0-9]*,
+  owner @{HOME}/.config/soffice.binrc.lock rwk,
   owner @{HOME}/.cache/fontconfig/**    rw,
   owner @{HOME}/.config/gtk-???/bookmarks r,  #Make bookmarks work
   owner @{HOME}/.recently-used          rwk,
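Review bot: The `soffice.binrc.*` glob is wider than the temporary names it appears to be meant for: it also matches `soffice.binrc.lock`, so the lock file receives `rwl` on top of the `rwk` granted on the next line. The QtProject.conf rules in the last hunk of this commit use a fixed-width suffix (`QtProject.conf.??????`) for the same kind of temporary file. For consistency and a tighter match I would write `owner @{HOME}/.config/soffice.binrc.?????? rwl -> @{HOME}/.config/#[0-9]*,`, assuming the suffix is always six characters as the comment in that hunk suggests. The same applies to `kdeglobals.*` in the last hunk.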
@@ -174,9 +178,18 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
 
   #Likely moving to abstractions in the future
   owner @{HOME}/.icons/*/cursors/*      r,
+  /etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
   /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r, # for libdrm
   /usr/share/*-fonts/conf.avail/*.conf  r,
   /usr/share/fonts-config/conf.avail/*.conf r,
+  /{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
+  /{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
+  @{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
+
+  #To avoid "Unable to create io-slave." for file dialog
+  owner /{,var/}run/user/[0-9]*/#[0-9]* rw,
+  #For KIO IO::Slave::createSlave()
+  owner /{,var/}run/user/[0-9]*/soffice.bin*.slave-socket wl ->  /{,var/}run/user/[0-9]*/#[0-9]*,
 
   owner @{HOME}/.mozilla/firefox/profiles.ini r,
   owner @{HOME}/.mozilla/firefox/*/secmod.db r,
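Review bot: `/etc/fstab r,` goes in with its own question still open (`TODO: deny?`), so the profile grants a read that the author was not sure is needed. If Solid only probes the file and the file dialog works without it, `deny /etc/fstab r,` would keep the mount table out of the confined process and silence the log entries. If it is needed, the TODO should be replaced by a comment saying what breaks without it. Which case holds cannot be told from the hunk.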
@@ -184,6 +197,9 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   owner @{HOME}/.mozilla/firefox/*/cert8.db r,
   # firefox >= 58
   owner @{HOME}/.mozilla/firefox/*/cert9.db r,
+
+  owner @{HOME}/.local/share/user-places.xbel r,
+
   # there is abstractions/gnupg but that's just for gpg1...
   profile gpg {
     #include <abstractions/base>
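Review bot: The `user-places.xbel` rule is the only added line in this commit without a trailing comment naming its consumer, although every neighbouring KDE rule has one. Presumably this is the Places list shown in the KDE file dialog; if so, a comment such as `# Places panel entries, read by the KDE file dialog` would keep it reviewable when the rules later move into an abstraction. The enclosing profile continues outside this hunk.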
@@ -204,4 +220,38 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   /usr/lib/*/qt5/plugins/** rm,
   /usr/share/plasma/look-and-feel/**/contents/defaults r,
 
+  # TODO: remove when rules are available in abstractions/kde
+  owner @{HOME}/.cache/ksycoca5_??_* r, # KDE System Configuration Cache
+  owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
+  owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
+  owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+  owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+  owner @{HOME}/.config/trashrc r, # user by KFileWidget
+  /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
+
+  # TODO: remove when rules are available in abstactions/kde-write-icon-cache or similar
+  owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader
+
+  # TODO: remove when rules are available in abstractions/kdeframeworks5 or simiar
+  /usr/share/kservices5/*.protocol r,
+
+  # TODO: use qt5-settings-write abstraction when it is available
+  owner @{HOME}/.config/QtProject.conf rw,
+  owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
+  owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
+  owner @{HOME}/.config/QtProject.conf.lock rwk,
+
+  # TODO: use qt5-compose-cache-write abstraction when it is available
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r,
+
+  # TODO: use recent-documents-write abstaction when it is available
+  owner @{HOME}/.local/share/RecentDocuments/** r,
+  owner @{HOME}/.local/share/RecentDocuments/*.desktop rwl -> @{HOME}/.local/share/RecentDocuments/#[0-9]*,
+  owner @{HOME}/.local/share/RecentDocuments/#[0-9]* rw,
+  owner @{HOME}/.local/share/RecentDocuments/*.lock rwk,
+
+  # TODO: use kde-globals-write abstraction when it is available
+  owner @{HOME}/.config/kdeglobals rw,
+  owner @{HOME}/.config/kdeglobals.* rwl -> @{HOME}/.config/#[0-9]*,
+  owner @{HOME}/.config/kdeglobals.lock rwk,
 }
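Review bot: The `rw` grants on `@{HOME}/.config/kdeglobals` and `@{HOME}/.config/QtProject.conf` let the confined process modify settings that are presumably shared with the user's other KDE/Qt applications, whereas most rules in this hunk are read-only. If the file dialog only reads these files, `r` would be the tighter grant. If it has to persist something, a short comment stating what is written would justify the access. Separately, a few comments have typos worth fixing before the rules are copied elsewhere: `abstactions`, `simiar`, `abstaction`, and `user by KFileWidget` (should be `used by`).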
-- 
cgit v1.1

From 032c3f0d8403c6c7cdc60564641687bfb56cf9b3 Mon Sep 17 00:00:00 2001
From: Vincas Dargis <vindrg@gmail.com>
Date: Tue, 14 Aug 2018 22:11:39 +0300
Subject: apparmor: fix qt-related denies

Commit c86e4ad53391d17d1eb54845b5999889f7e65061 introduced qt-related
rules, such as linking to ~/.config/#[0-9]* files, but did not allow
writing the files themselves, which produces DENIED log entries when the
AppArmor profile is enabled. This is fixed by adding a read-write rule
for the particular files.
Change-Id: I6441398c4fcfbfcf59ba5f5b3178682c1e5d1cd5
Reviewed-on: https://gerrit.libreoffice.org/59007
Tested-by: Jenkins
Reviewed-by: Rene Engelhard <rene@debian.org>
Tested-by: Rene Engelhard <rene@debian.org>
---
 sysui/desktop/apparmor/program.soffice.bin | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
index dd71b94..cf6fd4b 100644
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -236,6 +236,7 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   /usr/share/kservices5/*.protocol r,
 
   # TODO: use qt5-settings-write abstraction when it is available
+  owner @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
   owner @{HOME}/.config/QtProject.conf rw,
   owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
   owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
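Review bot: The added rule covers only names of exactly eight digits, but the commit it fixes also links `soffice.binrc`, `soffice.binrc.*` and `kdeglobals.*` to `@{HOME}/.config/#[0-9]*`, a glob that admits other lengths. If the number in these file names is not always eight digits long (not shown on this page), those link targets remain unwritable and the DENIED entries would persist for them. Either use the same glob as those link targets, `owner @{HOME}/.config/#[0-9]* rw,`, or narrow the link targets to the eight-digit form so the two sides agree. The new line would also benefit from its own trailing comment, e.g. `# temporary files that the link rules below name as targets`.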
-- 
cgit v1.1